Jump to content


Photo
- - - - -

Blocking IP from Amsterdam (95.211.194.79)


  • This topic is locked This topic is locked
12 replies to this topic

#1 sully213

sully213

    New Member

  • Members
  • Pip
  • 7 posts

Posted 06 September 2013 - 10:52 AM

Last month (2013-Aug-06) we first encountered an alert from our Trend Worry-Free Business Security server of a URL that was being blocked by the Web Reputation rules (95.211.194.79). Trend is blocking this IP, so there must be some knowledge of what lies on the other side, but I have been unable to find any documentation on what is causing these connections at the rate of several per minute (leading to the Web Reputation limit striking the alert of >200 hour). This morning (2013-Sep-06) the URL Filtering alarm went off again. Checking the logs showed me the same computer that was infected (and thought to have been cleaned) from the August alarm as well as an additional infection coming from someone else. Googling this IP has led me to several other forums that describe the same kind of infection to this IP that traces back to an IP owned by LeaseWeb in Amsterdam, Netherlands but no one seems to have found a root source of these connections.

 

Here's what I've found so far....

 

When the initial infection occurred I did full offline system scans with multiple anti-malware programs, including Trend, MBAM, Kaspersky, ClamWin, and Windows Defender. All found and removed different things and after returning the system to live running Windows status the alarms did not return until this morning. Now that they've returned and I've searched elsewhere I think I can assume that this is not a well-known piece of malware at this point. Which leads me to wonder if Trend (and apparently MBAM pro) are blocking access to this particular IP, but are there others that this malware is attempting to use that are NOT being blocked that are allowing malicious payloads to be deposited (and re-deposited) on these systems? I should also note that the second computer showing up in the URL blocking this morning showed activity a few days ago and I again ran all of the above scans, but this time came back with nothing found.

 

The two attachments to this post are a combined log from the URL filtering events and some data I captured from Fiddler2 about those URLs. As you can see from the Trend logs, the IP address is always the same (95.211.194.79) and then followed by a /d/{8 random alphanumeric}/{32 random alphanumeric}/AA/{single digit 0-9}. Analyzing the 452 samples I have in the log, there are only 3 unique 8-length alphanumeric strings, but 126 unique 32 length alphanumeric strings. Combined, there are 382 unique URLs out of the 452 samples.

 

Moving on to the Fiddler2 logs, I obviously wasn't going to test all 382 unique URL's so you will only see the first 10 out of the Trend logs. However, you can still start to see a pattern emerge with just those 10 samples. The initial (blocked) URL redirects you to 46.229.165.122, which in turn redirects you to 46.229.165.121, which in turn redirects you to another page. Nine out of the 10 URL's in the Fiddler log finish at ads.featurelink.com with the 10th (3rd on in the log) having one more redirect to c.tdsgo.com which then dumps you at acuerdos.info. 

 

So.....what can I do to find this, clean it, and prevent it from getting back into our systems so I can sleep a bit easier and not worry about (this threat) potentially stealing our data/passwords or some other nefarious activity it may be doing?

Attached Files



#2 sully213

sully213

    New Member

  • Members
  • Pip
  • 7 posts

Posted 09 September 2013 - 01:29 PM

I forgot to mention that if you look at the Fiddler logs, the entries that end at ads.featurelink.com appear to contain some obfuscated javascript code. Who knows what that's trying to accomplish....



#3 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • PipPipPipPipPipPip
  • 40,975 posts
  • Gender:Male
  • Location:US

Posted 16 September 2013 - 07:00 PM

Hello and :welcome:

If you've not already done so please start here and post back the 2 log files DDS.txt and Attach.txt

P2P/Piracy Warning:
 

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 



Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.

  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  • Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit
  • Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
  • When we are done, I'll give you instructions on how to cleanup all the tools and logs
  • Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder)


STEP 0
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.



Link 1
Link 2

  • On Windows XP double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.


STEP 01
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.



  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 02
Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit



  • RogueKiller 32-bit | RogueKiller 64-bit
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User Licene Agreement)
  • Click Scan to scan the system.
  • When the scan completes Close the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!!
  • Post back the report which should be located on your desktop.

 

 


Ron Lewis
Forum Community Manager

staff.png

Follow us: Twitter, Become a fan: Facebook


#4 sully213

sully213

    New Member

  • Members
  • Pip
  • 7 posts

Posted 17 September 2013 - 10:40 AM

Here are the first logs as requested, gathering the other info now:

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by sullivas at 11:18:53 on 2013-09-17
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3292.2511 [GMT -4:00]
.
AV: Trend Micro Security Agent *Enabled/Updated* {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Google\Update\1.3.21.153\GoogleCrashHandler.exe
C:\Program Files\Purgos 3.0\PurgosAgent.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\snmptrap.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\DYMO\DYMO Label Software\DLSService.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
.
============== Pseudo HJT Report ===============
.
uWindow Title = Windows Internet Explorer provided by Lancaster City Bureau of Police
uSearch Page =  http://www.bing.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\program files\trend micro\client server security agent\TmIEPlg.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PIconStartup.exe" -startup
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [DLSService] "c:\program files\dymo\dymo label software\DLSService.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tdmnot~1.lnk - c:\program files\wave systems corp\trusted drive manager\TdmNotify.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Windows\System: ExcludeProfileDirs = Local Settings;Temporary Internet Files;History;Temp
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoAutorun = dword:1
mPolicies-System: dontdisplaylastusername = dword:1
mPolicies-Windows\System: AddAdminGroupToRUP = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Trusted Zone: docstar
Trusted Zone: lpdprintnew
Trusted Zone: docstar
Trusted Zone: lpdprintnew
TCP: NameServer = 10.17.8.21 10.17.8.22
TCP: Interfaces\{DFB5C8E0-1D2D-4EDF-9D59-B803C231C2FF} : DHCPNameServer = 10.17.8.21 10.17.8.22
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\client server security agent\TmIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages =  msv1_0 wvauth
.
============= SERVICES / DRIVERS ===============
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2010-3-17 24064]
R2 PurgosAgent;Purgos Remote Agent;c:\program files\purgos 3.0\PurgosAgent.exe [2009-9-30 1773568]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2013-8-19 62728]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\TmXpflt.sys [2012-12-4 264504]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\TmPreflt.sys [2012-12-4 36664]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-3-17 2066968]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2012-5-30 1589704]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-3-17 166568]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2013-9-17 105176]
R3 TmProxy;Trend Micro Security Agent NT Proxy Service;c:\program files\trend micro\client server security agent\TmProxy.exe [2012-8-8 689712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]
S4 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\clt-inst\vpremote.exe --> c:\temp\clt-inst\vpremote.exe [?]
.
=============== Created Last 30 ================
.
2013-09-17 13:52:00 105176 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-09-17 13:52:00 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2013-09-17 13:50:31 48728 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-09-10 16:14:21 -------- d-----w- c:\documents and settings\all users\application data\RICOH
2013-08-23 18:47:46 279040 ----a-w- c:\windows\system32\RICFAXJC32.DLL
2013-08-19 15:45:31 74600 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2013-08-19 15:45:31 62728 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
.
==================== Find3M  ====================
.
2013-07-18 19:57:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-18 19:57:46 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 11:20:02.15 ===============
 
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 3/21/2010 6:05:23 PM
System Uptime: 9/12/2013 10:42:59 AM (121 hours ago)
.
Motherboard: Dell Inc. |  | 0C27VV
Processor: Intel® Core™2 Duo CPU     E8400  @ 3.00GHz | CPU | 1974/1333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 126.468 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is NetworkDisk (NTFS) - 4657 GiB total, 1590.087 GiB free.
L: is NetworkDisk (NTFS) - 5589 GiB total, 2705.916 GiB free.
P: is NetworkDisk (NTFS) - 5589 GiB total, 2705.916 GiB free.
R: is NetworkDisk (NTFS) - 5589 GiB total, 2705.916 GiB free.
S: is NetworkDisk (NTFS) - 5589 GiB total, 2705.916 GiB free.
V: is NetworkDisk (NTFS) - 5589 GiB total, 2705.916 GiB free.
Z: is NetworkDisk (NTFS) - 4657 GiB total, 1590.087 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
32 Bit HP BiDi Channel Components Installer
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader 9.5.5
Adobe Shockwave Player 11.5
Archive Player
Backup CD Player
BDE
BioAPI Framework
CamStudio
Catalyst Control Center InstallProxy
CCleaner
Cody6
CutePDF Writer 2.8
DCP32MMWrapper
Dell Control Point
Dell ControlPoint Security Manager
Dell Embassy Trust Suite by Wave Systems
Dell Security Device Driver Pack
Divar XF 2.56 PC Software
Document Manager Lite
DYMO Label v.8
Easy Street Draw Internet ActiveX Control 2.1
EMBASSY Security Center
EMBASSY Security Setup
ESC Home Page Plugin
FileNet IDM Viewer 3.3
Gemalto
Geovision Codec
Google Earth
Google SketchUp 7
Google Toolbar for Internet Explorer
Google Update Helper
GPL Ghostscript 8.70
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB968764)
Hotfix for Windows XP (KB969084)
Hotfix for Windows XP (KB976098-v2)
ImageVault Playback
Intel® Graphics Media Accelerator Driver
Intel® Network Connections 14.8.43.0
Intel® Active Management Technology
Intel® Matrix Storage Manager
Intellex CD-Player
Internet Explorer
Java Auto Updater
Java™ 6 Update 24
K-Lite Codec Pack 3.1.5 Full
LAN-Fax Utilities
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders  (English) 12
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mocha W32 TN5250 -- software from MochaSoft
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser (KB2721691)
MSXML 4.0 SP3 Parser (KB2758694)
MSXML 4.0 SP3 Parser (KB973685)
MSXML 6.0 Parser (KB927977)
NTRU TCG Software Stack
OGA Notifier 2.0.0048.0
Olympus DSS Player Pro
Paint.NET v3.5.4
PDFCreator
Playback 2.3.0.4
PowerDVD DX
Preboot Manager
Private Information Manager
Purgos 3.0 Agent
RMS
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE 10.3
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2832407)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687309) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition 
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition 
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition 
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition 
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition 
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB2829530)
Security Update for Windows Internet Explorer 8 (KB2838727)
Security Update for Windows Internet Explorer 8 (KB2846071)
Security Update for Windows Internet Explorer 8 (KB2847204)
Security Update for Windows Media Player (KB2834904)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813347)
Security Update for Windows XP (KB2820197)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2829361)
Security Update for Windows XP (KB2834886)
Security Update for Windows XP (KB2839229)
Security Update for Windows XP (KB2845187)
Security Update for Windows XP (KB2850851)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
Security Wizards
SO32MMWrapper
ST Microelectronics TPM Driver Installer
Trend Micro Worry-Free Business Security Agent
Trusted Drive Manager
tsp patch
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB2836940)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2836939)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596802) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2817563) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB2808679)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
UPEK TouchChip Fingerprint Reader
USB Playback Console
User Profile Hive Cleanup Service
VLC media player 1.0.5
Wave Infrastructure Installer
Wave Support Software
WaveReader Ver 4-0
WebFldrs XP
Windows Driver Package - Dell Inc. PBADRV System  (09/11/2009 1.0.1.6)
Windows Driver Package - STMicroelectronics (stmtpm) System  (05/24/2007 1.00.04.15)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
9/17/2013 10:30:02 AM, error: TermServDevices [1111]  - Driver Foxit Reader PDF Printer Driver required for printer Foxit Reader PDF Printer is unknown. Contact the administrator to install the driver before you log in again.
9/12/2013 4:02:20 AM, error: Tcpip [4199]  - The system detected an address conflict for IP address 10.17.8.130 with the system having network hardware address 00:24:81:00:10:BE. Network operations on this system may be disrupted as a result.
9/11/2013 3:32:49 PM, error: Dhcp [1002]  - The IP address lease 10.17.8.99 for the Network Card with network address 002564C9A060 has been denied by the DHCP server 10.17.8.25 (The DHCP Server sent a DHCPNACK message).
9/11/2013 3:17:29 PM, error: Tcpip [4199]  - The system detected an address conflict for IP address 10.17.8.99 with the system having network hardware address 00:25:64:BD:E9:B4. Network operations on this system may be disrupted as a result.
9/10/2013 6:19:39 PM, error: Print [22]  - Failed to ugrade printer settings for printer \\lpdprint01\AdminCopier,LocalOnly driver C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\ricA2Mui.dll error 6.
.
==== End Of File ===========================
 

 



#5 sully213

sully213

    New Member

  • Members
  • Pip
  • 7 posts

Posted 17 September 2013 - 11:15 AM

RogueKiller log:

 

RogueKiller V8.6.11 [Sep 11 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : sullivas [Admin rights]
Mode : Scan -- Date : 09/17/2013 11:51:39
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[41] : NtCreateKey @ 0x8062426A -> HOOKED (Unknown @ 0x89CD1B74)
[Address] SSDT[43] : NtCreateMutant @ 0x80617822 -> HOOKED (Unknown @ 0x8AF923D4)
[Address] SSDT[47] : NtCreateProcess @ 0x805D1280 -> HOOKED (Unknown @ 0x8A3AEC0C)
[Address] SSDT[48] : NtCreateProcessEx @ 0x805D11CA -> HOOKED (Unknown @ 0x8A561864)
[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A2E -> HOOKED (Unknown @ 0x8A3E3464)
[Address] SSDT[53] : NtCreateThread @ 0x805D1068 -> HOOKED (Unknown @ 0x8A2CF0FC)
[Address] SSDT[57] : NtDebugActiveProcess @ 0x80643CB2 -> HOOKED (Unknown @ 0x8AF7F1BC)
[Address] SSDT[63] : NtDeleteKey @ 0x80624706 -> HOOKED (Unknown @ 0x8A5688D4)
[Address] SSDT[65] : NtDeleteValueKey @ 0x806248D6 -> HOOKED (Unknown @ 0x8A56B754)
[Address] SSDT[68] : NtDuplicateObject @ 0x805BE03C -> HOOKED (Unknown @ 0x8A3E3424)
[Address] SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8A2CF0BC)
[Address] SSDT[122] : NtOpenProcess @ 0x805CB486 -> HOOKED (Unknown @ 0x8A3C0844)
[Address] SSDT[125] : NtOpenSection @ 0x805AA420 -> HOOKED (Unknown @ 0x8A38DFA4)
[Address] SSDT[128] : NtOpenThread @ 0x805CB712 -> HOOKED (Unknown @ 0x8A3CD84C)
[Address] SSDT[192] : NtRenameKey @ 0x80623C8C -> HOOKED (Unknown @ 0x8A568894)
[Address] SSDT[204] : NtRestoreKey @ 0x80625C4A -> HOOKED (Unknown @ 0x8A56B794)
[Address] SSDT[240] : NtSetSystemInformation @ 0x8060FE98 -> HOOKED (Unknown @ 0x8AF92394)
[Address] SSDT[247] : NtSetValueKey @ 0x806227DC -> HOOKED (Unknown @ 0x89CD1B34)
[Address] SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (Unknown @ 0x8A3E49EC)
[Address] SSDT[258] : NtTerminateThread @ 0x805D2502 -> HOOKED (Unknown @ 0x8A56A9DC)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B4400 -> HOOKED (Unknown @ 0x8A38DF64)
[Address] Shadow SSDT[548] : NtUserSetWindowsHookAW -> HOOKED (Unknown @ 0x8A5910A4)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x89A2F0EC)
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
127.0.0.1       lpdpatrol25 # LMS GENERATED LINE
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: WDC WD1600AAJS-75M0A0 +++++
--- User ---
[MBR] 8e16af64dad476dcef72b79d55a111e4
[BSP] 33011a5e6af84273cc2c64e92fc9f6b2 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 86 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 176715 | Size: 152499 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_09172013_115139.txt >>


#6 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • PipPipPipPipPipPip
  • 40,975 posts
  • Gender:Male
  • Location:US

Posted 17 September 2013 - 06:50 PM

Thanks,  nothing strange so far in the logs.

 

Please fully disable Trend while running the scans below so that it does not interfere with the results.

 

Your System Restore appears to be disabled.  Please enable it and create a new System Restore Point

 

Please uninstall ALL versions of Java as you have an old compromised version installed on the system.

 

 

Please go ahead and run through the following steps and post back the logs when ready.

STEP 03
Please download Malwarebytes Anti-Rootkit from here

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

STEP 04
Please download Junkware Removal Tool to your desktop.


  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 05
Please download AdwCleaner by Xplode and save to your Desktop.


  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.


STEP 06
button_eos.gif

Please go here to run the online antivirus scannner from ESET.


  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

STEP 07
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

 

 


Ron Lewis
Forum Community Manager

staff.png

Follow us: Twitter, Become a fan: Facebook


#7 sully213

sully213

    New Member

  • Members
  • Pip
  • 7 posts

Posted 18 September 2013 - 07:59 AM

I believe we may have found the culprit here. After much digging to find the source of the connections (via SysInternals TCPView), we found a file called wow.dll (residing in the users' Temp directories) hooked into explorer.exe. This led us to a Microsoft Malware Protection center article that identified the infection as Trojan:Win32/Alureon.GQ (http://www.microsoft...V3Index=5#tab=2)

 

We found some removal instructions and our logs/alerts have been quiet since yesterday afternoon when we removed the infection. It also appears you've encountered this one before (http://forums.malwar...howtopic=128418). We were able to isolate and make a copy of the malware files. Is there anyway we can send a copy to you to help get a detection signature into MBAM?



#8 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • PipPipPipPipPipPip
  • 40,975 posts
  • Gender:Male
  • Location:US

Posted 18 September 2013 - 02:59 PM

Yes, please zip and attach the file and I will submit it

 

You may want to proceed with the other instructions though to ensure other trace entries are removed as most of these type of infections also come with at least PUP (Possibly Unwanted Program) entries, but that's up to you.

 

Thank you


Ron Lewis
Forum Community Manager

staff.png

Follow us: Twitter, Become a fan: Facebook


#9 sully213

sully213

    New Member

  • Members
  • Pip
  • 7 posts

Posted 20 September 2013 - 12:25 PM

Well, I thought we had the files (plural) but it turns out we just have the ini file that the wow.dll file uses for it's connection settings. Sorry, not sure where the dll file got to.

 

Here it is anyway for what it's worth.

 

Attached File  wow.zip   196bytes   3 downloads



#10 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • PipPipPipPipPipPip
  • 40,975 posts
  • Gender:Male
  • Location:US

Posted 20 September 2013 - 04:38 PM

Okay, thanks.  Let me know if you want to run the other scans or not and if not we'll go ahead and close up here.

 

Thanks again


Ron Lewis
Forum Community Manager

staff.png

Follow us: Twitter, Become a fan: Facebook


#11 sully213

sully213

    New Member

  • Members
  • Pip
  • 7 posts

Posted 20 September 2013 - 09:55 PM

No, I think we're OK at this point and you can lock things up. Thank you for the help.



#12 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • PipPipPipPipPipPip
  • 40,975 posts
  • Gender:Male
  • Location:US

Posted 21 September 2013 - 12:14 AM

Okay then we'll close up, however if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if ran at the wrong time.
They are often updated daily so if you went to use them again in the future they would be outdated anyways.

The following procedures will implement some cleanup procedures to remove these tools.
It will also reset your System Restore by flushing out previous restore points and create a new restore point.
It will also remove all the backups our tools may have created.

Uninstall ComboFix (if used):

  • Turn off all active protection software including your antivirus.
  • Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • Please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

CF-Uninstall.png



Remove the rest of the tools used:



Please download OTCleanIt and save it to your Desktop. This tool will remove all the tools we used to clean your pc.


  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not go ahead and delete it by yourself.
  • If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.



AdwCleaner Removal:
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Uninstall
  • Confirm with Yes

ESET antivirus Removal:
  • This tool can be uninstalled via the Control Panel, Programs, Uninstall

If there are any other left over Folders, Files, Logs then you can delete them on your own.

Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP


As Java seems to get exploited on a regular basis I advise not using Java if possible but to at least disable java in your web browsers
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.

 
If you're not currently using Malwarebytes PRO then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.
 


Ron Lewis
Forum Community Manager

staff.png

Follow us: Twitter, Become a fan: Facebook


#13 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • PipPipPipPipPipPip
  • 40,975 posts
  • Gender:Male
  • Location:US

Posted 24 September 2013 - 03:04 AM

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Ron Lewis
Forum Community Manager

staff.png

Follow us: Twitter, Become a fan: Facebook





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users